Risk Assessment and RiskNetherlands), F. Zuccarelli (D'Appolonia, Italy), all members of CIB TG32. Gratefully use as been made of comments given by the Joint Committee on Structural

Risk Assessment and Risk Communication in Civil

Engineering

CIB Report: Publication 259

Editors: A. Vrouwenvelder

B. M. Holicky C. P. Tanner

D. R. Lovegrove E. G. Canisius

CIB Working Commission TG32 Public Perception of Safety and Risks in Civil Engineering

(joint CIB - IABSE Group)

Published by: CIB General Secretariat

ISBN: 90-6363-026-3

February 2001

Copyright @ 2001 by CIB

Preface

The design of buildings and civil engineering structures involves a consideration of safety, lifetime performance and environmental aspects. The risks may be related to structural collapse, collisions explosions and fires in buildings and in tunnels, flooding, accidents at industrial or nuclear plants, and so on. In this hdamental area of decision making about the safety, engineers have to communicate with their clients and the general public or, more usually, the politicians on its behalf. Communication between engineers themselves and between engineers and authorities, their clients or the general public is often difficult. Further the perception of some actual failure and the over-reaction to it, by both the public and the authorities, frequently prevents a rational treatment of similar structures in the future. In this report, the various aspects of this challenging subject are addressed. Both the risk evaluation and the decision making process will be treated. The fundamental question is "How much safety does society really need and what is it prepared to pay for that level or for a higher level is it insists"? Applications may be in all fields of building and civil engineering or in other fields where similar decisions are integral to the design process.

The report was prepared by A. Vrouwenvelder (TU-DelftITNO, The Netherlands), M. Holicky, (Klockner Institute, Check Republic), P. Tanner (CSIC, Spain), R. Lovegrove (BRE, UK) and G Canisius (BRE, UK).

Contributions and comments were received from H.E. Alinaitwe (Makerere University, Uganda), L.M. Alves Dias (IST - Technical University of Lisbon, Portugal), M. Ben-Bassat (Ministry of Construction and Housing, Israel), H. Gulvanessian (BRE, United Kingdom), J.F. Dickie, mr. Fang Dong Ping (Tsinghua University, China), mr. Hae-Sig Lim (HRI - Korea National Housing Corp., Z-Korea), 0 . Koskisto (Technology Development Centre Tekes, Finland), R. Lagana (DASTEC, Italy), R.H. Leicester (SCIRO, Australie), H. Okada (BRI, Japan), T. Saito (BRI, Japan), Y.E. Suurenbroek (Technical University Twente, The Netherlands), F. Zuccarelli (D'Appolonia, Italy), all members of CIB TG32.

Gratefully use as been made of comments given by the Joint Committee on Structural Safety.

TABLE OF CONTENTS

Preface

TABLE OF CONTENTS

LIST OF SYMBOLS

1. INTRODUCTION

2. RISK ASSESSMENT - A General Overview 2.1 Introduction 2.2 Hazard identification 2.3 Risk estimation 2.4 Risk assessment, decision-making and optimization 2.5 Concluding remarks

3. APPROACHES FOR RISK ASSESSMENT 3.1 Hazard scenarios 3.2 Identification techniques 3.3 Methods of reliability and risk evaluation 3.4 Approaches to risk analysis

4 RISK ACCEPTANCE -SAFETY CRITERIA 4.1 Introduction 4.2 Individual acceptable level of risk 4.4 Economic criteria 4.5 Combination of the criteria

5. RISK COMMUNICATION 5.1 Why communicate about risks? 5.2 Perceptions and understandings 5.3 The basic rules of Risk Communication to the public 5.4 Closure

6 CONCLUSIONS AND RECOMMENDATIONS

REFERENCES

ANNEX A DEFINITIONS ANNEX B CASES ANNEX B. 1 Performance Deficiency of Department store ANNEX B.2 Flood protection in The Netherlands

ANNEX B.3 Ronan Point Tower (1968) ANNEX 8.4 The piper alpha oil platform disaster l)

LIST OF SYMBOLS

A

C O

c/ D E( . I..) f (-1 F F(n) g(..> J k

Nd P (...) P ( 4

P(dlei) P(target i) PF PFi r R R, Srep

X d

x X r ep

Y

parameter, (imaginary acceptable probability for n= 1) investment in a safety measure damage costs in year j

damage conditional expectation probability density function failure event F-n-curve limit state function number of the year slope of the F-n-curve in a log-log-diagram number people being killed in one year in one accident probability of some event annual death probability probability of event i probability of being killed if accident event ei occurs the target value for activity i failure probability probability of failure in year j real rate of interest risk representative value of the capacity representative value of the sollicitation value of the basic variable X at the design point random variable representative value of the basic variable decision parameter

YR partial factor for the capacity

Ys partial factor for sollicitations Yx partial factor for X

1. INTRODUCTION

The design of building structures and civil engineering works structures involves the consideration of safety, lifetime performance, environmental aspects and economics. To an engineer, the "risk" associated with a hazard is a combination of the probability that that hazard will occur and the consequences of that hazard (the "threat"). Consequences to be taken into account include:

Injury, or loss of life, due to structural collapse; Reconstruction costs; Loss of economic activity Environmental losses

In all cases, the safety issue has to be addressed either explicitly or implicitly.

When explicitly addressed, a risk analysis is carried out and the result is compared with safety targets set in terms of the maximum acceptable risks. The most appropriate level for the maximum acceptable risk, of course, may depend on the cost associated with providing that level. When implicitly addressed, the designer makes a design-judgement, based on experience, which is deemed reasonable for the type of structure concerned but without quantifying the risk.

The first of these is the more scientific, and gives a rationale for decision-making. This report is primarily aimed at improving that aspect. However, in chapter 3.4 the relation between the implicit and explicit methods will be discussed.

The fundamental problem to be addressed is that of deciding the "maximum acceptable risk". Here, the use of the term "acceptable" raises immediately the question "Acceptable to whom?" And the second question is to actually assess the opinion of those involved about what is acceptable or not. Whatever way this problem is addressed, one thing is clear: fundamental levels of safety have to be acceptable to society as a whole, for it is on their behalf that engineers make such decisions.

In practice, the views of the society or the public will often be represented by those of their elected politicians. These can normally be expected to be at a very general level of attitude- setting, and are very unlikely to involve precise figures. Politicians will rightly set the Agenda, in terms of basic attitudes. But when it comes to quantifying the details of "maximum acceptable risk" then it is, in theory, necessary to turn also to the public in order to assess their opinions. The fundamental problem with this is that the public apparently do not usually interpret "Risk" in the same way as do engineers. It seems that the everyday, layman's concept of "Risk" is a very complex concept which is very difficult to identify but

which can sometimes be closely associated with "Threat", so that Hazards with high consequences are then highly ranked despite having extremely low probabilities of occurrence.

Two examples from the UK will serve to show the differing attitudes that the public can take.

Ronan Point collapse, 1968.5 deaths. This occupied the news media for several days, and had ramifications not only in the UK but throughout the world generally. Consequences included the modification of building codes & regulations and contributed to a fundamental change in the public's attitude towards high-rise accommodation. Traffic accidents, every year 1000 deaths. Very approximately, 1,000 or more people a year are killed in the UK in traffic accidents. An accident involving 5 fatalities usually makes the local news but not normally the national news other than in a relatively minor way.

Why should two incidents, involving the same number of fatalities, cause such differing reactions? Is it, for example, that the public are used to traffic accidents, but are not used to having buildings fall down? If so, then it might be possible to gauge the public's reaction to an adverse event by looking at frequency of occurrence. Or is it due to a feeling of lack of control? Or is it due to the way that incidents are reported (an important factor, here, is the role of the media in shaping public opinion)? Or somethmg else? Questions such as these need to be asked, and answered, if the engineering profession is to make informed judgements about the acceptable levels of risk which they should adopt.

It is this which the work of WG 3 2 has addressed, and which is the subject of this report. The key to a good communication about risk is a set of proper definitions and clear procedures. This is the topic of the Chapters 2 and 3. Chapter 4 deals with acceptance criteria as commonly formulated. Standardisation in this field may also contribute to a better communication about risks and their acceptance. Finally, in Chapter 5 the item of communication with the general public will be addressed in more detail.

This document contains two Annexes: Annex A summarises the system of definitions that have been used in this document. Annex B presents four cases of structural failures that have lead to extensive communications between the engineers and the outside world.

2. RISK ASSESSMENT - A General Overview

2.1 Introduction

The general procedure of the risk assessment of civil engineering systems outlined here, follows the basic concepts presented in documents [2.1 to 2.61. The risk assessment of a system is an important part of entire risk management schematically indicated in Figure 2.1, which is adapted mainly from [2.2].

Risk management Risk Communication I

I I

Figure 1 h

Risk assessment

1 I

I

p z q identification

Risk control

p q estimation

I I

Option Decision- Monitoring analysis making

Risk analysis

Figure. 2.1 A framework for risk management (inspired by [2.2])

Risk acceptance

According to Figure (2.1) risk management is considered as the highest level when dealing with risky activities and systems. It comprises the assessment procedures , the daily monitoring and control part and, last but not least, the communication between all parties involved. This report will deal primarily with assessment and communication.

The system is understood [2.2] as a bounded group of interrelated, interdependent or interacting elements forming an entity that achieves in its environment a defined objective through interaction of its parts. In case of technological hazards related to civil engineering works, a system is normally formed from physical subsystem, human subsystem, their management, and environment. Note that, similarly as in most systems, risk analysis of civil engineering systems usually involves several interdependent components (e.g. human life, injuries, economic lose).

2.2 Hazard identification

The risk assessment of a system consists of the use of all available information to estimate the risk to individuals or populations, property or the environment, from identified hazards, the comparison with targets and the search for optimal solutions. The first step in the analysis involves the context (scope) definition related to the system and subsequent identification of hazards. It is also referred to as the Qualitative Risk Analysis, as opposed to the Quantitative Risk Analysis where consequences, probabilities and risks are quantified.

A hazard is defined here as a set of circumstances, possibly occurring within a given system, with the potential for causing events with undesirable consequences. For instance the hazard of a civil engineering system may be a set of circumstances with the potential to an abnormal action (e.g. fire, explosion) or environmental influence (flooding, tornado) andlor insufficient strength or resistance or excessive deviation from intended dimensions. In the case of a chemical substance, the hazard may be a set of circumstances likely to cause its exposure [2.2].

Hazard identification and modelling is a process to recognise the hazard and to define its characteristics in time and space. In case of civil engineering systems the hazards Hi may be linked to various design situations of the building (as defined in [2.7]) including persistent, transient and accidental design situation. As a rule Hi are mutually exclusive situations (e.g. persistent and accidental design situation of a building). Then if the situation Hi occurs with the probability P{Hi}it holds ZP{H,} = 1. If the situations Hi are not mutually exclusive, then the analysis becomes more complicated.

Note that in some documents (for example in the recent draft of EN 1990 [2.7]) the hazard is defined as an event, while in risk analysis [2.2] it is usually considered as a condition with the potential for causing event, thus as a synonym to danger.

A Hazard scenario is a sequence of possible events for a given hazard leading to undesired consequences. To identify what might go wrong with the system or its subsystem is crucial task to a risk analysis. It requires detail examination and understanding of the system [2.6]. IVevertheless, a given system is often a part of a larger system. Consequently, modelling and subsequent analysis of the system is a conditional analysis.

The modelling of relevant scenarios may be dependent on specific characteristics of the system. For this reason a variety of methodologies have been developed for identification of hazards (e.g. FMEA, PHA, HAZOP) and for modelling of relevant scenarios (fault tree, event treeldecision trees, causal networks). Detailed descriptions of these methodologies is beyond the scope of this document, but may be however found in [2.6,2.9] and other literature.

2.3 Risk estimation

Probabilities

Probability is, generally speaking, the likelihood or degree of certainty of a particular event occurring during a specified period of time. In particular, reliability of a structure is often expressed as probability related to a specific requirement and a given period of time, for example 50 years [2.3 - 2.71. If the probability is give for a unit period of time (e.g. a year) one might alternatively (or even better) use terms like occurrence rate of frequency. We will stick here however to the term probability

Assuming that a system may be found in mutually exclusive situations Hi, and the failure F of the system (e.g. of the structure or its element) given a particular situation Hi occurs with the conditional probability P{I;lHi}, then the total probability of failure pF is given by the law of total probability (see for example [2.9]) as:

Note that the failure event F in itself may be a compound event, for instance of the type:

Equation (2.1) can be used to modify partial probabilities P{H,}P{flH,} (appropriate to the situations Hi) with the aim to comply with the design condition p~ 0 the non failure domain of a structure.

If the joint probability density fx(xlHi) of basic variables X given situation Hi is known, the conditional probability of failure P{I;lHi} can be then determined [2.8] using the integral

It should be mentioned that the probability P{qHi) calculated using equation (2.2) suffer generally from two essential deficiencies:

- uncertainty in the definition of the limit state function g(x), - uncertainty in the theoretical model for the density function fx(x(Hi) of basic variables X [2.8].

These deficiencies are most likely significant causes of observed discrepancy between determined probability pF and actual frequency of failures. That is why the probability of failure pF is often regarded to as notional probability that may be, however, disturbing in practical interpretation of obtained results [2.10]. Yet, the probability requirement p~ < p, is generally accepted as a basic criterion for design of structures.

In a risk analysis we need to know not only probability of the structural failure F but probabilities of all events having unfavourable consequences. In general, the situations Hi may cause a number of events eV (e.g. excessive deformations, full development of the fire). The required conditional probabilities P{eVIHi) may be estimated by a separate analysis using various methods, for example fault tree method or causal networks.

Consequences

Consequences are possible outcomes of a desired or undesired event that may be expressed verbally or numerically to define the extent of human fatalities and injuries or environmental damage and economic loss [2.1]. A systematic procedure to describe andlor calculate consequence is called consequence analysis. Obviously consequences are generally not one- dimensional. However in specific case they may be simplified and described by several components only, e.g. by human fatalities, environmental damages and costs. At present frequently various costs are usually included only. It is assumed that adverse consequences of the events Ev can be normally expressed by several components Cgk, where the subscript k denotes the individual components (for example number of lost lives, number of human injuries and damage expressed in a certain currency).

Risks

Risk is a measure of the danger that undesired events represent for humans, environment or economic values. Risk is commonly expressed in the probability and consequences of the undesired events. Often it is estimated by the mathematical expectation of the consequences of an undesired event. Then it is the product "probability x consequences". However, a more

general interpretation of risk involves probability and consequences in a non-product form. This presentation is sometimes useful, particularly when a spectrum of consequences, with each magnitude having its own probability of occurrence, is considered [2.2].

As already stated above the risk estimation is based on hazard identification and generally contains the following steps: scope definition, frequency analysis, consequence analysis, and their integration [2.2]. If there is one-to-one mapping between the consequences DU,, and the events eU, then the total risk Rk related to the considered situations Hi is the sum

If the dependence of consequences on events is more complicated than just one-to-one mapping, then equation (2.3) will have to be modified. A practical example of equation (2.3) can be found in [2.10], where an attempt to estimate risk due to persistent fire design situation is presented.

In some cases it is possible to deal with one-component risk R only. Then the subscript k in equation (2.3) may be omitted. Moreover, probability of undesired events may depend on vector of basic variables X. Then the total risk R may be formally written as

where R(x) denotes degree of risk as a function of basic variables X, and fdx) denotes joint probability density function X. In many cases the following alternative formulation is more convenient:

where PFis a failure probability and E(DJF) the expectation of the damage given that a failure has occurred. The failure probability can then be calculated by efficient procedures as FORM and SORM [2.x], and the damage expectation may be based on a suitable approximation. This point will be further discussed in chapter 3.

2.4 Risk assessment, decision-making and optimization

Decision-making is generally based on the process of risk acceptance and option analysis (see Figure. 2.1) that is sometimes referred to as risk assessment. Risk acceptance is based on various criteria of risk that are reference points against which the results of the risk analysis are to be assessed. Criteria are generally based on regulations, standards, experience, andlor theoretical knowledge used as a basis for decision about acceptable risk. Acceptance criteria and criteria of risk may be sometimes distinguished [2.1]. Various aspects may be considered, including cultural, social, psychological, economical and other aspect [2.6]. Generally acceptance criteria may be expressed verbally or numerically [2.6].

Assuming for example that the acceptance limits Ck,d for the components Ck are specified, then it is possible to design the structure on the basis of acceptable risks using the criterion Ck c Ck,d, which may supplement the probability requirement p~ c p,. For more details: see chapter 4.

It should be noted that various levels of risk might be recognised, for example acceptable risk, tolerable risk, and objective risk (see definition of theses terms) [6] . It is remarkable fact that the public seems to be generally better prepared to accept certain risks than to stand for specified probabilities of failure [2.8]. See also chapter 5.

If risks are considered as too large for direct acceptance, one should look for adequate counter measures. When planning counter measures, the mentioned techniques for the recognition of possible hazards are very helpful. The aim is to detect those events or processes, where with a small effort an important effect can be obtained. Possible measures can be technical or administrative, and can fall in the following strategies:

- Reduce the cause of the risk. -Avoid the risk by changing the concept or the objectives. - Control the risks by using suitable alarm systems, vigilance, inspections, etc. - Overcome the risks by providing an adequate capacity.

The possible measures can and should refer to all phases of the realization, use and demolition of the engineering facility. The further analysis should mainly be concerned to find out whether or not certain countermeasures should be taken or not. In general an economic balance between the counter measures and risk reduction should be achieved. In cases one simply has to accept the (remaining) risk. This topic will be re-addressed in chapter 4.

2.5 Concluding remarks

Risk is commonly estimated by the mathematical expectation of the consequences of an undesired event that often leads to the product "probability x consequences". As a rule risk of civil engineering systems is multidimensional quantity having several components.

Risk analysis is based on hazard identification and generally contains the following steps: scope definition, hazard identification, definition and modelling of hazard scenarios, estimation of probabilities, estimation of consequences, estimation of risk and decision-making.

3. APPROACHES FOR RISK ASSESSMENT

3. RISK ASSESSMENT

3.1 Hazard scenarios

Any technical system is exposed to a multitude of possible hazards. In the case of civil engineering installations or facilities, these hazards include both, those from the environment (wind, temperature, snow, avalanches, rock falls, ground effects, water and ground water, chemical or physical attacks, etc.) and those from human activities (usage, chemical or physical attacks, fire, explosion, etc.). Furthermore, the importance of hazards due to human errors can be decisive.

Usually, different hazards occur together in space and time. Such situations may lead to higher risks than those corresponding to the individual hazards. The recognition of these situations is the first step of the so-called scenario approach (see also section 2.3). Further steps are the evaluation of these hazards (including determination of the risks corresponding to the different scenarios), and the planning of preventive measures (section 2.4). The qualitative identification of hazards is possibly the most important step of the approach. Indeed, once the potential hazards and combination of hazards are recognized, usually it is relatively simple to adopt appropriate measures to overcome their consequences. Due to their importance, some hazard-identification techniques are presented in section 3.2. The second major step in risk analysis, the estimation of probabilities and consequences, is treated with in sections 3.3 and 3.4 where an overview of advanced and simplified risk analysis techniques is given.

3.2 Identification techniques

Various techniques exist that may help the engineer to recognize possible hazards. These techniques present some common characteristics in the sense that they are all based on asking questions. Once the right questions are asked, the identification of potential hazards is relatively easy. Therefore, all the mentioned techniques require imagination and creativity.

When searching for possible hazards, it is essential that already at the concept stage of a new engineering facility the whole process of its construction, use, repair andlor its future replacement or demolition is taken into account. To do so, not only the application of creative techniques or strategies is helpful. Extensive use should also be made of experience, e.g. by referring to specialized literature related to the problem at hand.

Hazard and Operability Study

Different strategies of thinking with a view to identifying possible hazards and hazard scenarios are known under various names, e.g. Hazard and Operability Study (HAZOP), What-if Analysis, or Failure Mode and Effect Analysis (FMEA) [3.1]. In daily practice, the goal is to recognise all possible hazards related to a particular problem. In order to reach this goal, a combination of different of these strategies, which are listed below, is to be applied.

In a chronological analysis, the whole process, step by step, has to be established in mind. Typical questions to be asked are: What will occur, where and when? In a utilization analysis questions concerning the planned use of the future engineering facility are to be raised: What equipment or machines will be used? What influence do they have? What could go wrong? In an influence analysis it is looked at influences from the natural environment and from human activities. New situations have to be anticipated, which could make initially harmless influences dangerous. Furthermore, it must be looked at individual hazards that alone would be negligible, but in combination become dangerous. Energy analysis: Where and in what circumstances potentials due to different energies (gravity, kinetic, chemical, thermal, electrical, etc.) could lead to a hazardous situation? The failure of an energy supply can also constitute a danger. In a material analysis it has to be looked, for example, at the durability, combustibility, toxicity, or explosiveness of the used raw materials or end products. Examining interfaces, hazards can be anticipated where different materials are in contact, or where information has to be transmitted, or where responsibilities are not clearly defined.

Morphological thinking is a method developed in [3.2] that is aimed at identifying all possible problems and their solutions. In a further step, these theoretically possible problems are then reduced to the really important ones which are to be tackled in the further analysis.

Logic trees

The application of logic trees (fault tree, event tree, cause-consequence chart) contributes to introduce some order, completeness and clarity into the engineering work. The use of this kind of tool is very widespread in risk analysis and implies some important advantages. Influences from the environment and from human activities can easily be considered simultaneously. Logic trees also can contribute to detect the most effective countermeasures. Furthermore, they are easy to understand and therefore very helpful for communication purposes with non-experts.

A fault tree can be defined as a logical diagram for the representation of combinations of

influences that can lead to an undesired event. Simple examples are represented by the figures 3.1 and 3.2, belonging to the fields of fire and structural engineering, respectively. When establishing a fault tree, the undesired event constitutes the starting point. Going out fkom this event, the possible causes are to be identified. Possible causes and consequences are to be linked in a logic way, without introducing any loops. Every event that is not a consequence of a previous event has to be considered as an independent variable [3.3].

After a failure event, fault trees can be used in order to clarify the causes in case that they should be unknown. The most common application, however, consists in detecting possible causes of undesirable events before they can occur. Since fault trees also show the possible consequences of events, they are very useful for the establishment of the most accurate measures for prevention from these events.

home extinguisher fails

OR r W AND

extinguishing extinguisher too late

AND

ignition detection

Figure 3.1 : Fault tree for fire risk analysis

no self extinguishing

ignition detection

Going out from an initial event, an event tree identifies the possible subsequent events. Each path consists of a sequence of events and ends up at the consequence level (Figure 3.3). The aim is therefore the establishment of possible consequences of an initial event. In a second step, the event tree also can be used for the calculation of probabilities of

occurrence of these consequences.

Figure 3.2: Fault tree representation of the failure mechanisms for a @ame (according to [3.4 1)

CONSEQUENCE

railway trafffic no acccident - small supended

no collision small

trainnot . derailed f 11:; medium

ollision

€ small

train medium derailed

railway traffic large not suspendec

very large

train not 1 warned train derailed train not derailed

€ very large

large

medium

small

- no collision small

Figure 3.3: Event tree for the Rock-fall on railway line (adaptedfiom [3.5])

The aforementioned logic trees can also be combined. To this end, a special representation is used, containing as well the causes as the consequences (cause/consequence-chart). The part with the causes corresponds basically to a fault tree. However, if necessary different undesired events can be introduced as starting points. The consequence part, on the other hand, corresponds to an event tree with a slightly different representation. The questions are formulated in a way that the answer only can be "yes" or "no". In this way, a very compact representation of complex problems can be obtained.

3.3 Methods of reliability and risk evaluation

Risk formulation

In many fields of engineering the failure of a system or element in the system is often governed by the difference between two quantities: the intensity of an action on a component or system and a corresponding capacity or limit value. Examples are:

Intensity of action (S) 1 Capacity or resistance (R) I

Normally, the quantity representing the intensity of an action should be smaller than the quantity representing the corresponding capacity or resistance. In that case no failure occurs. However, both R and S are random variables, and there exists a certain probability that S is larger than R. So the failure event can be written as:

Applied bending moment Intensity of traffic Water flow Number of passengers Number of persons 1 fire load

R-S < 0 (3.1)

Bending resistance Traffic capacity of a road Flow capacity of a river bed Capacity of a transportation system Capacity emergency exits

As a more general expression this failure event can be represented as:

Table 3.1: Examples for intensities of actions and the corresponding capacities of engineering systems [3.1]

where g(..) is the limit state condition and the X, represent the random variables. So for values of g less than zero, the technical system does not reach the corresponding requirement and we are talking about failure. In the present context we are interested in the so-called probability of failure pf:

The failure probability should always be defined for a predefined period of time. Formally, the failure probability can be represented by the relation (2.2) where f,(x) is the joint probability density function of the basic random variables Xl...Xn. Furthermore, g(x)

benefits and damages. The problem of very small probabilities and large consequences will be further discussed in chapters 4 and 5.

Finally, it is to be mentioned that probabilistic methods as referred to in the present section are possibly not aimed at the practising engineer for everyday use. There exist mainly two reasons for that. Firstly, they require a considerable knowledge about probability concepts and, secondly, very often there is a lack of information concerning the parameters of the different variables entering a problem, and in daily practice the time needed for gathering the lacking data is usually not available. Therefore, simplified methods have been developed in different fields of engineering. The aim is to verifl that equation (3.1) is satisfied by carrying out simple deterministic analysis for selected hazard scenarios. Further information on this approach to risk analysis can be found in section 3.4.

Integration and simulation methods

Figure 3.4 illustrates the joint probability distribution of R and S. The volume of the hump is 1 and the contour are concentric curves. The limit state equation G=R-S=O separates the failure domain from the non failure domain, dividing the volume into two parts. The aim of the integration defined by equation (2.2) is to calculate the volume of the failure zone in order to determine the probability of failure. Figure 3.4 shows the failure zone with respect to the joint probability distribution of R and S. It also illustrates the design point [S*, R*], which is defined as the most probable failure point on the limit state surface. The design point constitutes the key to many reliability methods for estimating the probability of failure.

The design point is illustrated in two dimensions in figure 3.5, which also shows the reliability index, P. This index is a measure of the distance of the design point [S*, R*] from the point [ps pR], measured in standard deviations. Safety with respect to a limit state function can be represented by either the probability of failure or the reliability index. It is clear, however, that the design point does not represent the failure probability exactly since more than one limit state function may share the same design point (figure 3.5 illustrates a linear failure surface). Although the design point and thus the reliability index can be the same, the probability of failure is lower for a convex failure surface than for a concave surface. The practical calculation of the failure probability can be achieved through the use of reliability methods, which are presented below.

As indicated already in equation (3.2), a limit state function usually is more complex than equation (3.1) since both, the R and S variable normally are functions of other basic variables. Probability calculations for a technical system involves therefore the determination of probability distributions that represent the uncertainty associated

with the basic variables. Based on these distributions, the practical calculation of the failure probability can be achieved through the use of reliability methods, which are either analytical or numerical. Some methods estimate reliability using a point estimator of the limit state surface. In this way the precise shape of the limit state surface, and thus the volume of the failure zone, is not considered. Examples of these methods are the First Order Reliability Method (FORM) [3.6] and the Second Order Reliability Method ( S O W ) [3.7]. For the reasons mentioned earlier, FORM does not represent the failure probability exactly since failure functions may be curves or more than one limit state function may be active. The magnitude of the error will depend on the non- linearity of the limit state surface.

,!MA design point

Figure 3.4: Failure zone with respect to the joint probability distribution of R and S

Figure 3.5: Two dimensional representation of the design point

The most easily understandable numerical method is the Monte Carlo simulation [3.8]. The exact or approximate calculation of the probability density and of the parameters of a limit state h c t i o n is replaced by statistically analyzing a large number of

individual evaluations of the function using random realizations xik of the corresponding distributions Xi. Each set of the k realizations gives a value gk. The limit state function is then checked. If the limit state condition is violated, gk < 0, the system has failed in the artificial experiment. The experiment is repeated many times, and the number n of failures is counted. Knowing the number of trials conducted, N, and the number of counted failures, n, the probability of failure, pf, can be estimated. Obviously, the number of trials required is related to the desired accuracy for py

The technique sketched above is the simplest Monte Carlo approach for reliability problems. Although it is possibly the most widely used approach, it is not the most efficient one. Its slow convergence has been a severe penalty for direct sampling techniques until the emergence of powerful computers in the last decade. This disadvantage has led to so-called variance reduction techniques. A good overview of the various strategies for variance reduction is given in [3.9]. More efficiency in the sense that, for a given level of confidence, fewer sample points are required is also obtained by the so-called importance sampling.

When performing a Risk Analysis, an advantage of Monte Carlo methods is that they can deal directly with formulation (3.4) including gradual loss functions, where FORMISORM is primarily developed for calculating thep, in formulation (3.5).

Quantitative Logic tree analysis

After the qualitative establishment of a logic tree (section 3.2), the calculation of the probability of occurrence of the undesirable top event (fault tree) or the probability of occurrence of the consequences of a given initiation event (event tree) should be performed. In the following, only some basic ideas are introduced about the estimation of probabilities by using logic trees.

In the case of an event tree, the possible subsequent events following a previous event exclude each other. Therefore, the sum of the probabilities at a gate of an event tree must be the unity. The calculation of the probability of occurrence of a consequence is very simple since it is obtained by multiplying the probabilities of the different events constituting the path that leads to the considered consequence (Figure 3.3). The difficulty lies in the establishment of the probabilities of the different events, and very often numerical values are based on subjective estimations.

In the case of a fault tree, the probabilities are to be calculated depending on the type of the logic gate. If the different components must fail at the same time (the first and the second and...), they constitute a parallel system represented by an AND-Gate. Therefore, the corresponding probability is obtained according to the multiplication rule, by multiplying the probabilities of the different components (Figure 3.2). On the other hand, if only one component must fail (either the first, or the second, or...), they

represent a series system. In that case we are talking about an OR-gate and the probability of failure is obtained by adding the probabilities of the different components.

The aforementioned rules are valid for uncorrelated events. Unfortunately these rules become more complex if the events in the fault tree are correlated. However, in order to deal with correlations, the previously mentioned calculation rules can be extended by means of transformation methods. Correlations can both, increase and reduce the probability of failure. If a car is properly maintained, then probably the engine will be in a good condition, as well as the breaks, the wheels, etc. All these forms of good maintenance may be correlated to one factor, the responsible owner of the car. Therefore, all of them may act in the same direction reducing the probabilities of failure. The opposite, of course, might also occur. Finally, there also exist correlations with approximately balanced effects.

Time dependency

In the foregoing the factor of time has not been considered. In almost all cases, however, time is an important issue. Many random variables, in fact should be treated as random processes. Some random processes are continuous by nature, as for instance wind or traffic loading. Other random processes may have a completely different nature: a phenomenon is absent for most of the time, but may pop up at certain irregular time intervals. One may refer to these processes as pulse processes. Examples are earthquakes, collisions, fires etc. The arrivals of these events are usually modelled as Poisson processes. The magnitude of the phenomenon itself may be random again. Figure 3.6 gives some clarification

The Poisson process may also be used to model the binary status ("working-failed" or "present-absent") of many electronic or mechanical devices. Warning systems like the ones in the rock fall example of figure 3.2 may have this nature. Another example is a sprinkler systems in buildings: if there is a fire, the probability of large consequences is considerably reduced if the sprinkler system works. However, there is a certain probability that the sprinkler system is out of work just during a fire event. Details of this are, however, outside the scope of this document.

3.4 Approaches to risk analysis

Explicit probabilistic approach

As mentioned in section 3.3, risk analysis implies the quantification of the probability or frequency of damagmg events and expected damages, based on available statistics, tools such as fault or event trees, or detailed knowledge from investigated events. It has also been mentioned that risk analysis according to explicit probabilistic approaches can

be used as a tool for decision making. The evaluation of risks according to decision methods is based on optimisation strategies for the chosen damage indicator. The design of a technical system or facility can therefore be carried out in a way that for example the overall cost accumulated throughout its life, including the cost of a possible failure, is minimal. The formal procedure will be treated in the next chapter. Optimisations of this type rely on a great number of arbitrary assumptions. Particularly, it should be bared in mind that probabilities of failure are usually very small and that

I 1 random /

time

load

4 random

b time

out of order

I functioning I 4

random b

time

Figuur 3.6: Upper: continuous type of loadprocess; middle: pulse type of loadprocess; lower: binary type ofprocess for electrical of mechanical type of device

for this reason numerical values depend very strongly on the assumptions made. Therefore, decision methods based on probabilistic analysis should only be used for classification purposes (from good to less good), for example for different possible solutions to the same problem. In other words, the values obtained should not be misinterpreted as absolute values, but if they are interpreted in a comparative way, decision methods supply extremely useful information.

Implicit probabilistic approach

In an implicit probabilistic verification of safety of a technical system one verifies a set

of requirements by using simple deterministic hazard scenarios and deterministic values for the basic variables. The models may be the same for both, probabilistic and deterministic approaches. Although users of these methods often claim to be fully deterministic, this is hardly to believe. In most cases in the choice of the requirements, the scenarios and the values, some notion on consequences of events and occurrence frequencies enter the process. No one is going to make calculations on hazard scenarios that either happen too often or never at all.

In structural analysis a formal link has been derived between probabilistic and deterministic methods. This link is the FORM design point. The relationship between this point, the partial factor and the representative value is given by the following expression:

Xd value of the basic variable X at the design point in a reliability analysis yx partial factor Xrep representative value of the basic variable

The requirement for safety in its simplest form can be derived from condition (3.1) and is expressed by

ys partial factor for sollicitations in a deterministic analysis

yR partial factor for the capacity in a deterministic analysis

S,, representative value of the sollicitation Rrep representative value of the corresponding capacity

Partial factors are determined according to relation (3.7), using probabilistic analysis. As mentioned, in this way safety differentiation can be incorporated in the Partial Factor Method in order to take implicitly into account the consequences of a possible failure.

4 RISK ACCEPTANCE SAFETY CFtITERL-4

4.1 Introduction

Criteria for accepting or rejecting the assessed risks include two related entities: the frequency of an undesired event and the consequences (casualties, monetary values, environmental values). In general one may state that the higher the consequences, the lower the accepted probabilities are. In more detail, the acceptance limits for a given disaster may originate from three different angles:

1. comparison with other risks related to individual safety 2. societal aversion of big disasters, especially when many casualties are involved. 3. economic considerations

Of course, in a specific situation , the three aspects should be integrated andlor prioritised. In general one may state that one strives at an economic optimum, but that the society (emotionally) and the authorities (formally) put some limits to the individual and group risks to human lives. In this chapter all three criteria will be discussed one by one. In a chapter 4.5 we will come back to the problem of the combination of the criteria.

Implicitly, in the above paragraph, already a large simplification of reality has been made: the results of a disaster have been reduced to death and money. Many other aspects, of course, play a role. Many (material) losses cannot easily be expressed in money, like destruction of pieces of art and pollution of the environments. Also people may get hurt, disabled, suffer from post traumatic depressions, live long fears, forced to relocate housing or work. In other words: risk is multidimensional and one could speak of a risk profile rather than risk [4.1]. It is extremely difficult to include all these items in the risk analysis. If one does, one needs in the end weighmg factors for all risk dimensions in order to make them comparable to each other and to relate them to the measures that must be taken for possible risk reduction. [4.2] [4.3] [4.4] [4.10].

A practical problem in risk acceptance decisions is that the group which has to pay for the safety measures and the group that profits from there, are often not the same. Groups that do not have pay directly for the measures generally want very tight rules and vice versa. The groups exposed to hazards also are not identical to the groups that profit from the risk related activity. Together with the emotional reactions to dangerous situations this may lead to an unwillingness to accept so called objective criteria. Nevertheless, the existence of objective criteria as to be presented in this chapter may make the multi party process of acceptance, negotiation and decision more easy [4.51[4.6]. This item will be further discussed in section 5.

4.2 Individual acceptable level of risk

Table 4.1 gives an overview of personal risks in developed countries. In column (b) the risk is presented as the probability per time unit of being killed when actually doing the activity mentionend in columnn (a). Such a frequency is called a fatal accident rate or FAR. Following [4.7] and [4.8] the FAR is expressed as the number of fatalities per 100 million hours (= 1 1,500 = 10,000 years). In column (d) the frequency is presented as the fatality probability per time unit averaged out over the hours doing and not doing the activity. It is expressed as a annual probability. The link between the two risk measures, of course, is the part of time spent on the activity. Formally the relation is given by:

P(A person being killed in one year) = (FARl10000) * part of time The estimated part of the time spend on the activity is mentioned in column (c). It is assumed that workers spend 20 percent of the time doing their job, while travelling is only done during 1 to 5 percent of the time. Also dangerous hobbies like climbing mountains or driving motor cycles are assumed to be done only during a small portion of the time. Some activities, like being a person between 30 and 40 years old, of course, have a time participation of 100 percent. As an example, consider the first activity, rock climbing. The FAR = 4000 /lo8 hours = 4000 I 10000 years = 0.4 /year. The part of the time a climber is really in the mountains is estimated as 11200, or say about 2 full days per year. This leads to:

P(An active rock climber being killed in one year) = 0.4 * 0.005 = 2 = 11500 It should be noted that in some tables (not here) the risks are further averaged out over all persons in a country, involved in some activity or not. This number, however, is not so much a measure of personal risk as well a measure of a social risk. A dangerous activity is a morepronounced social problem if more people are involved.

Let us now have a look at the details of Table 4.1. An almost unavoidable risk is the probability of dying from natural causes. In the developed countries this probability for a person under 50 years of age is about per year. The probability of losing one's life in normal daily activities, such as car driving or working in a factory, is in general one or two orders of magnitude lower than the normal probability of dying. Activities such as mountaineering entails a much higher risk. These numbers may be reflected as an implicit risk acceptance model by the public. Of course, people do not have those numbers actually in mind, but there seems to be a pattern that for activities considered as attractive and done voluntary much higher risks are accepted as for non-voluntary activities. Another point is how much one benefits from the activity: for a well paid job one also accepts higher risks. The lowest acceptance level can be found for activities which are involuntary and of little or no profit for the person at risk. This, however, is not an uncommon situation for the risks involved many engineering works like transport systems and industrial areas. So, in this respect for the same activity, it may be useful to distinguish between the "internal risks" and the "external risks", referring respectively to the people using the facility and profiting therefrom and the group that only experiences the risks related to the activity.

Table 4.1 Fatal Accident Rates [4/7], expressed as in column (b): the number of fatalities per 100 million hours spent on an activity in column (d): the number of fatalities per year for people involved in the activity

Anyhow, inspired on the numbers given in Table 4.1 one may define acceptance limits for the individual risk. The UK Health and Safety Executive (HSE) has defined a maximum level of individual risk which is just tolerable and a minimal level below which further action to reduce risks may not be required. The values are collected in table 4.2. Between these levels, it is required to reduce risks to levels "as low as reasonably practicable" (ALARP) that is, until the costs of further measures would be grossly disproportionate to the benefit gained.

Table 4.2 Maximum acceptable FAR values for individual risk according to the Health and Safety Executive in the UK.

Workers, all occupations (upper limit) Public at risk from industrial operations Public at risk from nuclear industry operations

Per hour activity [*lo4] 50 1

0,l

Per year per person

1 I 1000 1 I 10000 1 I 100000

Written as a formula one might state the individual risk requirement as follows:

where

p ( 4 = annual death probability P(ei) = probability of accident event i

P(dle,) = probability of being killed if accident event Ei occurs P(target zj = the target value for activity i, depending on the type of activity

The target probability for one year should be for "normal cases" as this is what society nowadays seems to accept or is unavoidable anyway. For voluntary activities, involving economic benefits or other profits a higher value may be considered as acceptable. However, if somebody is involuntary put to an unnatural risk form which he has no benefits at all, the target must be substantially lower as per year. Given the above discussion one and also looking at Table 4.2, one might set the targets as indicated in Table 4.3:

Table 4.3 Target values for individual yearly risk

1 2 3

Most important of course is type 3 where people are exposed to riskful activities by others but have no profit from it whatsoever. One might think of people living close to a plant or near a transport route of dangerous materials who have no economical bond with those activities. For this category the lo-' per year target is set as an upper limit.

In the above targets, the limits are set for a single and isolated i-th activity. What really counts for an individual is the summed up risk over all activities. Based on this idea one might deduce that the acceptable probability of the set of undesired event during one year is limited by:

Type of risk Voluntary risks / profitable or attractive activity Natural hazards Unnatural hazards / involuntary and unavoidable risk

The summing up is of course theoretically correct, but difficult to handle in practice. If for some individuals total risk is too high, which risk contribution should then be blamed and reduced? And do we include the dangerous hobbies? So in the end it is more use (4.1):

P(target) 1 o ' ~ /year 1 o4 / year 10" / year

4.3 Socially acceptable level of risk

The social acceptance of risk to human life is often presented as a so called F-n-curve. The F- n-curve indicates the border between "acceptable" and "unacceptable" in a diagram with

probability on one axis and number of casualties on the other. Formally written:

P(Nd 2 n) < F(n) (for all n) (4.3)

Here Nd is the number people being killed in one year in one accident. The probability P(Nd 2 n) depends on the probability of failure of the system under consideration and on the factors that determine the number of fatalities in case of a failure. The criterion is not applicable to frequent small scale accidents like car accidents (see later comment). It is quite customary to have two F(n)-curves as indicated in Figure 4.1 :

- one curve representing an upper limit above which activities or situations are not acceptable - another one representing a lower limit below which no further risk reductions are necessary

In the area in between risk reducing measures should be considered and judged on an economical basis. This is again the ALARP-approach (as low as reasonably practicable, see also the section on individual risk).

Figure 4.1 F-n-curves, where F(n) = P(Nd > n in one year), and the ALARP region; the curve is dotted for small n as it is not applicable in this region.

A mathematical expression in the case of a straight F-n-curve (on the log-log-scale) is often presented as: (see for instance IS0 2394):

The parameter A is the (say imaginary) acceptable probability for n=l and k determines the slope of the F-n-curve in a log-log-diagram. The value k 1 gives a line under 45'. The value of A may range from 0.001 to 1 and the value of k from 1 to 2. For relatively weak and stringent

values of A and k example F-n-curves are presented in Figure 4.2. Some examples form chosen target reliabilities have been included

Figure 4.2 The F(n) = P(Nd > n) < A nPk requirement for one year (see IS0 2394). Examples: X = the Storebelt requirement, Y = Delta works in Holland Z = Channel Tunnel design

We shall discuss some issues related to this criterion in more detail.

The Choice of the F-n-curve

The choice of the F-n-curves and the ALARP region is a matter of Safety Policy of the company or the country involved. Many types of reasoning are followed in this respect. For instance, for the Channel Tunnel the policy was that the tunnel itself should be at least as safe as the (much longer) open railway part. It is questionable whether this is reasonable. May be it is better to have the same safety as for an open air track section of the same length. Maybe the safety could even be less as it may be expensive to increase the safety in the tunnel and the advantages of a tunnel are great anyway. But this statement may be difficult fiom the psychological point of view. See also chapter 5.

The value of k

High values of k express the social aversion to large disasters. Explanations for a more than proportional decrease in the failure probability (that is k>l) may be: 1. Economy of scale in the protection of a larger number of people. Exercises based on

the econometric calculation method likewise lead to lower failure probabilities for more important consequences.

2. The effect of the social channels of communications is more intense in response to 100

deaths all at once than to 100 x 1 death. The cause lies in economy of scale in politics and the press.

3. The social disruption in more than proportional to P(d1eJ. If an accident results in the deaths of 1% of a social entity, its further functioning remains possible. But if, say, 50% of the persons concerned lose their lives, the social structure is disrupted and the continued existence of the organisation as a whole becomes doubtful, even though half the number of individuals survived the accident.

The value ofA.

A point of discussion, of course, is the choice of A. One should keep in mind that a country does not suffer from just a single riskful activity, but from series of hazardous activities, each one giving a contribution to the probability of having a large accident. So, from a theoretical point of view, the discussion on the socially acceptable level should start on a national level, incorporating all dangerous activities. For a single activity one may then derive a part of the total as an acceptance limit. Next, for each location where the activity is performed a share may be determined. The choice of A (and k) on the national level should reflect the national safety policy. Of course, large countries will have (for all hazardous activities together) larger A values then smaller countries for reasons of consistency. A country might also decide that some maximum should hold for each region, in order to prevent that one region gets all the risks and other regions have nothing.

Line elements.

A particular problem in this field is the acceptance criterion for line elements like railways, waterways, roads, pipelines, etc, intended for the transport of dangerous materials. In those cases one might for instance be interested in the acceptable failure probability per kilometre. One should, however, keep in mind that the failure event for one part of the line element may be correlated to another part. In those cases it may be more rational to find the integrated probability of having a disastrous event over the whole system and compare this to the corresponding acceptance limit. .

Frequent small accidents

Society of course also has an aversion to frequently occurring small accidents. The most important example is the car accident. Limits to these types of accidents, however are more to be found in the individual risk criterion. The (4.4) criterion in any cases is not relevant. In most countries the number of accidents is about 1 0'3 to 1 0+4 with n = 1 to 4. In Figure 4.1 this would indicate a point far above the line given by A=0.1 and k-1 . We even have to interpret the probability as a frequency. For this reason (4.4) is often considered only to be valid for n>10.

Relation between social and individual risk

It is interesting to point out that there is a relation between the individual risk and the probability of exceeding a number of casualties for some particular activity. Consider a plant where there is some danger of explosion. In the neighbourhood of this plant people are living. Let v(xy) be the number of people per unit area living at location (x,y) and let P(x,y) be the probability of a person being killed in one year if being on location (x,y). The expected number of casualties per year may then be calculated from:

So this is the expected number of casualties based on the individual risk. Based on the group risk notion, we may define the same number as:

This relation makes clear that the social or group risk requires the same information as is needed for evaluating the individual risk plus the information on the population densities.

An inconsistency in the criterion for k = l

A theoretical difficulty in applying the requirement (4.4) is the following. Consider two activities A and B, where activity A has an occurrence probability of 10" per year and results in exactly 100 fatalities; activity B is characterised exactly by P(Nd>n) = 0.1 n" for n z 1. Both activities fulfil the social safety requirement with A=0.1 and k=2. However, the expected number of fatalities per year for activity A is 0.1 while, as can easily be shown, for activity B the expectation is infinitely large. It is difficult to accept such a big difference in expectation where the criterion considers both situations as "just on the limit".

Some criteria have additionally to the A n-k line a limit to the maximum number of fatalities N,,,, for example N,, = 5000. In that case the expected number of fatalities per year can be found to be:

The sum has been approximated by an integral expression running from n=l to n=N,,,., where F(n) = P(Nd>n) and f(n) = -dF(n)/dn. For k> 1 we have in a similar way:

k E(Nd) = A [ 1 - ( 1 k) N,,,""]

So in this case the expectations are final. Fortunately the expectation is not very sensitive to N,,.

4.4 Economic criteria

In the third acceptance criterion the problem is schematised as a mathematical-economic decision problem by expressing all consequences of the disaster in terms of money (assuming a given period of time):

C, (y) = investment in a safety measure j = number of the year r = real rate of interest ci = damage costs in year j Y = decision parameter Pfi(yl = probability of failure in year j

One should realise that P8(y) denotes the failure exactly in year j, that is not in any year before or later. The term C, includes all costs after failure: it includes direct damage, cost of repair, but also all future failure costs of the repaired structure (if any). So in fact it is a quite complex term, but most contributions other then direct damage and repair may be small in most cases. The failure cost C may or may not involve a term related to a monetary value of human lives. We will come back to this issue in the next paragraph.

If PF is considered as being constant in time and the relevant period of time may be taken as an infinitely long period of time, then the optimum yearly failure probability can be found by to be:

r I'b P, (optimum) =

C,

I' = first derivative of I to the decision parameter x b = PF /(PF /dy) (for example P = exp(- (y-A) /B) , then b = B )

According to (4.6) a higher damage leads to smaller optimum failure rate as might be expected. Obviously one also has to check whether this optimum is better than present situation. So we should additionally to (4.6) also fulfil:

P,, (optimum ) C, P,, (present) C c, Ol) + =

(I + r J J < = ( 1 + r J J The point is that the present situation may be close to the optimum in which case the Co- investment is not worthwhile to do. In this comparison it is important that Co does not only include all costs but also all profits from the activity or the system.

Of course, in the general case, more then one hazard may be present and one may want to consider the optimum for all integrated safety measures.

4.5 Combination of the criteria

Most decision makers prefer to treat the economic and human safety criteria ompletely separated. It means that we take the most economical solution fiom all alternatives that are allowable fiom the human safety point of view. Mathematically that comes down to:

minimise: C,,, = C , ( Y ) + x pfi (Y) C, (1+rIJ

conditional upon: P ( 4 = P(E) * P(d1E) < P(target) (4.8b)

In (4.8a) the parameter C, represents the material losses only. This approach looks fine but may not be correct fiom a decision making point of view. It would be better to assess some amount of money to the event of death or injury. It would create a mechanism where more safe solutions are chosen if there are more people at risk. If, despite ethical objections to such an approach, a human life is rated at an amount s, an insight into the effect of this upon the optimal failure probability is obtained. For this purpose the amount for material damage is increased fiom C, to E(NJ c + C, where E m = P(dle,) N,, is the expected number of casualties and c is the "monetary value per casualty". The optimum failure probability then becomes:

conditional upon: P ( 4 = P(E) * P(d1E) < P(target) (4.9b)

So the two constraints resulting fiom the individual and the social acceptance limits are still present. The requirements (4.9) together, in fact, is representation the ALARP principle, that is measures may follow form an economic criterion but some risks are simply not accepted. Only the negligible lower bound is not defined here. A numerical example of the application of the criteria in this section can be found in Annex B.2.

Note further that for c=O the criterion is fully compatible to the first approach mentioned in this paragraph. This of course can hardly be called an attractive proposal. However, if not zero, the difficult problem of choosing a certain value for a human life has been introduced. Numerous approximations for this are to be found in the literature. One may for instance take the cash value of the net national product per inhabitant. Another approach is to determine what people are willing to pay for reductions in risk, either from what they say or from the choices they make in practice [4.11]. For example, a sample of individuals can be asked what they would be prepared to pay for a 1 or 10 per cent reduction in the risk of being killed in a

road accident; alternatively the extra wages required in occupation deemed to be dangerous can be evaluated. Finally one may look into amounts of money that are used in medical practice. The values have been summarised in Table 4.3. As one might expect, such exercises result in a wide range of values, from a few hundred thousand to few million Euro; a reasonable median value seems to be 1 .O million Euro. Another method, based on the so called Life Quality Index (LQI) may be found in [4.12] and [4.13].

Theoretical Evaluations

Whatever rule is followed, one should of course always keep in mind that ensuring a design that meets the safety targets is only the first step towards achieving a safe plant, though an indispensable one [4.9]. Safety can be delivered only by good management. The best designed plant can be compromised by poor maintenance and sloppy operational discipline.

Value for c [Euro per person]

Human capital calculations Willingness to pay (hypothetical) Road Safety (UK, 1987) Costs of medical procedures for comparison (real)

300.000 1.600.000 500.000

2.000 - 300.000 Table 4.3 Investment in Risk Reduction, per nominal life saved [University of East Anglia

5. RISK COMMUNICATION

5.1 Why communicate about risks?

A risk assessment as described in the previous chapters, even if technically perfect, is in general it is not sufficient to reach a decision. The risk assessment is a tool to help the decision making process, not the decision maker itself. Both the risk analysis as the acceptance criteria may be subject to debate. In general it is necessary to reach consensus about the various options available between the various parties involved. This process is referred to as risk communication. More formal definitions may be found in annex A.

Possible parties involved in a decision process on risk acceptance are:

politicians civil servants, officials companies (producers) insurance companies lawyers the news media the public experts

It will rarely be the case that any one of these will fill the role of being just a communicator or just the audience. In practice, the inherent exchange of information means that all will fill both roles at different times, and to different extents. In any case, someone who talks but does not listen can hardly claim to be involved in communication. As a consequence, communications about risks will normally be complex and -because of the need to bear in mind the perceptions and understandings of the differing audiences- difficult.

It is not to say that communications are always directly aimed at decision-makers only. The general public as a whole, for example, are rarely in the position to make decisions involving risk, since professionals or politicians normally make such decisions on their behalf; but they will nonetheless often be affected by those decisions. Since the public's opinions do (at least, in a democracy) matter, decision-makers will usually need to keep them informed as much as is possible. The public have an interest in risk, even though they might not always be interested in it.

Although the overall aim might be thought to be better decision-making, "better" is a multidimensional, qualitative concept -so it cannot be assumed that minimisation of risk must always be the overall objective. "Risk" is simply one factor that needs to be taken into account. A clearer objective would be to give better-informed decision-making. But here, too, "better informed" should not be thought of as referring only to the decision-makers

themselves: the term does also cover those who would be affected.

5.2 Perceptions and understandings

How does communication take place? The easy answer to this is "in any and every way". In practice, though, some ways are more common than others. A few communication forms will be discussed and the perceptions and understandings characterized.

Communications by Experts

Professionals and experts are the main group of people who might normally be expected to be trained, albeit sometimes at an elementary level, in risk identification/analysis. As such, they are more amenable to a mathematical means of communication than other groups -although even this may depend to a certain extent on the profession involved.

Methods of communication tend towards formalized approaches:

Within a profession, the emphasis is on professional journals, seminars, reports, committees etc. When communicating with clients, the communication is usually by written report, often with verbal backup, e.g. at face-to-face meetings. Communications with politicians are rarely direct, instead being via some other means such as reports to officials, by giving evidence at public enquiries etc. Contact with the public media is normally at a very minimal level, presumably because journalists do not view risks and risk-analysis as being "sexy", i.e. as being attractive and eye-catching to their readership.

The difficulty faced by the professional is that nearly all other parties no not think in teh same terms about risk. The concept of risk as the (integrated) product of consequences and probabilities is far from common in most other parties, with possible exceptions of specialised officials and company experts. However, even then communication may be hampered by relatively small differences in interpretation. Especially the high impact low probability (HILP) events, in particular when subject to large subjective uncertainty estimations, may cause deeply philosophical debates among experts themselves.

The most difficult communication, however, may be the communication with the public. The point is that the public in general has had no training in thinking of terms of risk as probability times consequence. The perception of risk may therefor be complete different. Risks are considered as unacceptably great if the consequences are large and the cause of events leading to it can be vividly imagined. This is the reason that recent catastrophes, broadly presented by the news media, always call for strong measures (see the examples in the introduction and Annex B. On the other hand, is something has never happened before or only a relatively long time ago (more than ten or twenty years) the risk in the view of the people is not so serious.

The engineer usually sees it as his task to warn against this over- and under-estimation. However, the difficulties may be large, especially as "the public" does not exist but is a mixture of individuals all having a different understandings fiom and attitudes towards risk. We will now discuss the various communications from and by the public in more detail.

CommunicationsJi.om the public

The form that the public's communications might take varies according to the circumstances. It is, however, commonly aimed at politicians and usually attempts to make use of the news media.

Immediate, one-off hazards, such as the planned construction of a chemical works in the local neighbourhood; the routing of a train carrying hazardous material or the introduction of a major road system nearby, typically give rise to protest meetings, marches, petitions, organised letters to politicians. The collection of signatures for a petition, and the organising of letters, might themselves involve people in going from door-to-door or in setting up a stand in some public place such as a market: both of which give opportunity for the handing-out of leaflets and for individual discussion. Expressed concerns normally concentrate on hazards and threats rather than risk.

Long-term, continuing hazards such as the general levels of traffic accidents and pollution can give rise to all of the forms of communications as in the immediate, one-off case. An additional mechanism of communication, commonly associated with this type of hazard, is the setting up of a recognised pressure group with formal representation on committees, working groups etc. Because the interest is in general levels (which are basically long term expectations confirmed on a regular basis), there is a natural tendency here to be more concerned with risks than threats.

Communications to the public

Communications to the public are rarely about risk per se but usually about various threats or hazards and -sometimes- their probabilities.

Communications can take place at a very personal level, such as between doctor and patient about the probabilities of the various outcomes associated with an illness or operation. In the building industry, there might be personal discussion between a surveyor/consultant etc and home-owner about the hazards associated with not carrying out some form of remedial action.

In public domains, there can be -but usually is not- some very basic discussion of probabilities in the immediate aftermath of a major incident such as an explosion or rail crash. More commonly, however, any discussion about long-term threats, such as those from smoking or fiom traffic levels, is a mixture of qualitative and quantitative information.

Role of the news media

The news media are usually viewed as being central to communications generally, and Risk is no exception.

The media play two essentially different roles: as a passive transmitter of someone else's message (as when they repeat a press release), or as an active producer, or interpreter, of a message. They will often use several sources of information, and are by no means limited to official sources. Their messages often reflect the concerns of the public and other sectors of society, but are not necessarily unbiased.

Professional journals and magazines are rarely published at even weekly intervals, more usually being monthly or quarterly. These long publication dates can combine with the the nature of professional discussion to place the emphasis on long-term probabilities and risk rather than immediate happenings.

The demands acting on the daily media, however, mean that they must inevitably tend to emphasize the short-term and so want to report immediate events such as large-scale accidents or just-published reports into areas perceived as being of public concern. Discussion about longer-term implications can [5.4] find their way into Editorials, the weekly press and discussion programmes.

5.3 The basic rules of Risk Communication to the public

Unfortunately, there is (at least, in english-speaking countries) the common expression "you can prove anything with statistics". As a result of such beliefs, the public tends to judge a message about risk not so much in terms of any information that it contains but, rather, in terms of their view of the communicator.

In addition, from the formal point of view, "information" is a measure of the surprise contained in a message. A message whose content could be completely predicted in advance contains no surprises and so carries no information, but one whose content could not be predicted at all is highly surprising and has a correspondingly high information content.

From either point of view, the information that a communication contains depends on what the audience would expect it to contain. This does depend, to a very large extent, on their view of the communicator.

For example, if a tobacco company were to say that smoking carried no risks, then the public would be unlikely to take much notice since that is what they would expect them to say, so there would be no surprise in hearing it. But if an anti-smoking pressure group were to say exactly the same thing then the surprise would be very great, and the information conveyed would be that much higher and have correspondingly greater impact and effect.

A major factor, here, is the public's view of the credibility and trustworthiness of the communicator. These are qualitative terms which are very difficult to define, but include other concepts such as [5.3]factual, knowledgeable, expert,public welfare, responsible, truthful, and good "track record'.

It is generally accepted that credibility and trust can take a long while to build up, but can be quicltly and easily destroyed by ineffective or inappropriate communication. Factors which can destroy trust in a communicator include omissions, exagerations, distortions, self-serving statements.

Cove110 and Allen [5.5], in a widely-quoted paper, took seven basic rules of good communications, and interpreted them in the context of risk communication, as follows:

Accept and involve the public as a legitimate partner. A basic tenet of risk communication in a democracy is that people and communities have a right to participate in decisions that affect their lives, their property, and the things they value. Plan carefully and evaluate performance. Risk communication will be successful only if carefully planned. Listen to thepublic's speciJic concerns. If you do not listen to people, you cannot expect them to listen to you. Communication is a two-way activity. Be honest, punk and open. In communicating risk information, trust and credibility are your most precious assets. Co-ordinate and collaborate with other credible sources. Allies, if believed to be independent, can be effective in helping you communicate risk information Meet the needs ofthe media. The media are a prime transmitter of information on risks; they play a critical role in setting agendas and in determining outcomes Speak clearly and with compassion. Technical language and jargon are useful as professional shorthand. But they are barriers to successful communication with the public.

5.4 Closure

Risk Communication: Is a very complex subject involving highly technical information, psychology, presentational skills etc. Is about involving all partners in an open and honest way. Any attempt to dissemble will almost certainly defeat the objective. Involves sending messages about complex concepts to a wide range of people and organisations with differing levels of skills and understanding, and listening to their responses: which will often be contradictory, and use apparently technical words in a non- technical sense. Requires flexibility.

6 CONCLUSIONS AND RECOMMENDATIONS

Risk is commonly estimated by the mathematical expectation of the consequences of an undesired event that often leads to the product "probability x consequences". As a rule risk of civil engineering systems is multidimensional quantity having several components.

A Risk analysis is generally contains the following steps:

scope definition, hazard identification, modelling of hazard scenarios estimation of consequences estimation of probabilities estimation of risks

The first three steps are the Qualitative Part, the last three steps the Quantitative Part. In many cases only the Qualitative part is carried out and measures are taken on an intuitive basis. Although not complete, such an analysis is certainly not without value. Better however is to include the last three steps and perform a full Quantitative Risk Analysis.

An intermediate procedure is to define a number of design hazard scenarios on the basis of step 3 and check the systems abilities to cope with them. Such an approach is often referred to as a "deterministic risk analysis". This of course is not a correct term as the selection procedure involves some implicit judgement about the probabilities and the consequences of the hazard scenarios selected. No one would select design scenarios that are expected to occur either too often or never at all. If somehow the probabilities enter the selection procedure in an explicit way, one may speak of the "semi-probabilistic" approach. Anyway, the existing gap between "probabilistic" and "deterministic" methods in Risk Analysis should be narrowed.

However, the theoretically best way to proceed is an explicit full probabilistic estimate of all the events and corresponding consequences. The next step is then to think of and evaluate measures for reducing the risks. The commonly accepted approach is to define two levels: Above the upper level the risk is considered as being not acceptable and below the lower level the risk is considered s being negligible. For the area between the limits economic considerations may govern the decision. This is considered as the ALAW-principle (As Low As Reasonably Practicable)

The upper limits may be inspired by the ethical maximum acceptable risk of individual persons or by the risk aversion of society to large disasters, usually expresses as F-n-curves. The cost optimisation may or may not include some "value of the human lives lost". This document advocates to include some value for casualties, as neglecting them is the same as choosing a value of zero.

From an objective point of view the decision process seems to end when an economic solution has been reached falling within the bounds permitted by the individual and group risk criteria. However, in practice life may be completely different. In many civil engineering applications decisions for are not made by the engineers but by others: clients, public, politicians. In other cases people may react in a different way as expected: a tunnel or bridge may be avoided if ti is considered as unsafe, true or not. It is not sufficient to ask them simply for the proper F-n- curve. The other parties involved may even fail to understand what an F-n-curve exactly is or what a cost-benefit analysis in the case of uncertainty stands for. The notions of probability, consequence and risk may have completely different meanings depending on the background and education of people. I addition to that we have to face in this discussion the High Impact Low Probability event, the subjective probability estimates, the differences in profits for the various parties involved and so on. This all makes the risk communication process a very critical, not to say random process in itself.

Some recommendations in this field may be:

Accept all parties as legitimate partners and listen to the public's specific concerns. Co-ordinate and collaborate with other independent and credible sources. Make at first sight unlikely looking but dangerous events more believable using visualisation in order to avoid under-reaction by public and authorities Accept emotional overreaction to large disasters as a fact of life, in particular shortly after a catastrophe and try to get more rational reactions in a later stage.

It should be kept in mind that public and political reactions to disasters often lead to worthwhile measures and procedures in the world of engineering that could not be reached before.

Closure

The present report presents an overview of the state of the art in Risk Assessment and Risk Communication in Civil Engineering. It is clear that this is a topic of increasing interest. Many decisions related to buildings, civil engineering structures and major civil engineering planning affect the safety of many people in a variety of ways. It is important that all concerned speak the same language and can understand each other. A good step forward might be to develop an extensive IS0 document in this field, not only standardizing the terminology, but also describing methods, interpretations and procedures for fruitful communication between the various parties involved.. Additionally, worked examples and reports of cases on the basis of such a standard would be extremely helpful.

REFERENCES

[2.1] NS 58 14, Requirements for risk analysis, 1991. [2.2] CANICSA - 4634-9 1 Risk analysis requirements and guidelines, 199 1. [2.3] IS0 2394 General principles on reliability for structures, 1998.

[2.4] ISOIDIS 8930 General principles on reliability of structures - List of equivalent terms, 1999.

[2.5] TNO report, 96-CON-R1599 Proposal for a framework in behalf of developing terminology with regard to the process of the probabilistic design andlor assessment of building and civil engineering structures with reference to IS0 8930, 1996.

[2.6] M.G.Steward and R.E.Melchers, Probabilistic risk assessment of engineering system. Chapman & Hall, London, 1997.

[2.7] EN 1990: Basis of design. CEN TC 250, Draft, November, 1999. [2.8] B.R.Ellingwood:

Documents

Risk Assessment and RiskNetherlands), F. Zuccarelli (D'Appolonia, Italy), all members of CIB TG32. Gratefully use as been made of comments given by the Joint Committee on Structural